[PATCH 4.19 1/2] netfilter: xt_TEE: fix wrong interface selection

[PATCH 4.19 1/2] netfilter: xt_TEE: fix wrong interface selection

[Subash Abhinov Kasiviswanathan]

From: Taehee Yoo <ap420073@gmail.com>

commit f24d2d4f9586985509320f90308723d3d0c4e47f upstream.

TEE netdevice notifier handler checks only interface name. however
each netns can have same interface name. hence other netns's interface
could be selected.

test commands:
   %ip netns add vm1
   %iptables -I INPUT -p icmp -j TEE --gateway 192.168.1.1 --oif enp2s0
   %ip link set enp2s0 netns vm1

Above rule is in the root netns. but that rule could get enp2s0
ifindex of vm1 by notifier handler.

After this patch, TEE rule is added to the per-netns list.

Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_TEE.c | 69 +++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 52 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 0d0d68c..673ad20 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -14,6 +14,8 @@
 #include <linux/skbuff.h>
 #include <linux/route.h>
 #include <linux/netfilter/x_tables.h>
+#include <net/net_namespace.h>
+#include <net/netns/generic.h>
 #include <net/route.h>
 #include <net/netfilter/ipv4/nf_dup_ipv4.h>
 #include <net/netfilter/ipv6/nf_dup_ipv6.h>
@@ -25,8 +27,15 @@ struct xt_tee_priv {
 	int			oif;
 };
 
+static unsigned int tee_net_id __read_mostly;
 static const union nf_inet_addr tee_zero_address;
 
+struct tee_net {
+	struct list_head priv_list;
+	/* lock protects the priv_list */
+	struct mutex lock;
+};
+
 static unsigned int
 tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
@@ -51,17 +60,16 @@ struct xt_tee_priv {
 }
 #endif
 
-static DEFINE_MUTEX(priv_list_mutex);
-static LIST_HEAD(priv_list);
-
 static int tee_netdev_event(struct notifier_block *this, unsigned long event,
 			    void *ptr)
 {
 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+	struct net *net = dev_net(dev);
+	struct tee_net *tn = net_generic(net, tee_net_id);
 	struct xt_tee_priv *priv;
 
-	mutex_lock(&priv_list_mutex);
-	list_for_each_entry(priv, &priv_list, list) {
+	mutex_lock(&tn->lock);
+	list_for_each_entry(priv, &tn->priv_list, list) {
 		switch (event) {
 		case NETDEV_REGISTER:
 			if (!strcmp(dev->name, priv->tginfo->oif))
@@ -79,13 +87,14 @@ static int tee_netdev_event(struct notifier_block *this, unsigned long event,
 			break;
 		}
 	}
-	mutex_unlock(&priv_list_mutex);
+	mutex_unlock(&tn->lock);
 
 	return NOTIFY_DONE;
 }
 
 static int tee_tg_check(const struct xt_tgchk_param *par)
 {
+	struct tee_net *tn = net_generic(par->net, tee_net_id);
 	struct xt_tee_tginfo *info = par->targinfo;
 	struct xt_tee_priv *priv;
 
@@ -106,9 +115,9 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
 		priv->oif     = -1;
 		info->priv    = priv;
 
-		mutex_lock(&priv_list_mutex);
-		list_add(&priv->list, &priv_list);
-		mutex_unlock(&priv_list_mutex);
+		mutex_lock(&tn->lock);
+		list_add(&priv->list, &tn->priv_list);
+		mutex_unlock(&tn->lock);
 	} else
 		info->priv = NULL;
 
@@ -118,12 +127,13 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
 
 static void tee_tg_destroy(const struct xt_tgdtor_param *par)
 {
+	struct tee_net *tn = net_generic(par->net, tee_net_id);
 	struct xt_tee_tginfo *info = par->targinfo;
 
 	if (info->priv) {
-		mutex_lock(&priv_list_mutex);
+		mutex_lock(&tn->lock);
 		list_del(&info->priv->list);
-		mutex_unlock(&priv_list_mutex);
+		mutex_unlock(&tn->lock);
 		kfree(info->priv);
 	}
 	static_key_slow_dec(&xt_tee_enabled);
@@ -156,6 +166,21 @@ static void tee_tg_destroy(const struct xt_tgdtor_param *par)
 #endif
 };
 
+static int __net_init tee_net_init(struct net *net)
+{
+	struct tee_net *tn = net_generic(net, tee_net_id);
+
+	INIT_LIST_HEAD(&tn->priv_list);
+	mutex_init(&tn->lock);
+	return 0;
+}
+
+static struct pernet_operations tee_net_ops = {
+	.init = tee_net_init,
+	.id   = &tee_net_id,
+	.size = sizeof(struct tee_net),
+};
+
 static struct notifier_block tee_netdev_notifier = {
 	.notifier_call = tee_netdev_event,
 };
@@ -164,22 +189,32 @@ static int __init tee_tg_init(void)
 {
 	int ret;
 
-	ret = xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-	if (ret)
+	ret = register_pernet_subsys(&tee_net_ops);
+	if (ret < 0)
 		return ret;
+
+	ret = xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+	if (ret < 0)
+		goto cleanup_subsys;
+
 	ret = register_netdevice_notifier(&tee_netdev_notifier);
-	if (ret) {
-		xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-		return ret;
-	}
+	if (ret < 0)
+		goto unregister_targets;
 
 	return 0;
+
+unregister_targets:
+	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+cleanup_subsys:
+	unregister_pernet_subsys(&tee_net_ops);
+	return ret;
 }
 
 static void __exit tee_tg_exit(void)
 {
 	unregister_netdevice_notifier(&tee_netdev_notifier);
 	xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+	unregister_pernet_subsys(&tee_net_ops);
 }
 
 module_init(tee_tg_init);
-- 
1.9.1

[PATCH 4.19 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

[Subash Abhinov Kasiviswanathan]

From: Taehee Yoo <ap420073@gmail.com>

commit 18c0ab87364ac5128a152055fdcb1d27e01caf01 upstream.

checkentry(tee_tg_check) should initialize priv->oif from dev if possible.
But only netdevice notifier handler can set that.
Hence priv->oif is always -1 until notifier handler is called.

Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_TEE.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 673ad20..1dae02a 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -104,6 +104,8 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
 		return -EINVAL;
 
 	if (info->oif[0]) {
+		struct net_device *dev;
+
 		if (info->oif[sizeof(info->oif)-1] != '\0')
 			return -EINVAL;
 
@@ -115,6 +117,11 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
 		priv->oif     = -1;
 		info->priv    = priv;
 
+		dev = dev_get_by_name(par->net, info->oif);
+		if (dev) {
+			priv->oif = dev->ifindex;
+			dev_put(dev);
+		}
 		mutex_lock(&tn->lock);
 		list_add(&priv->list, &tn->priv_list);
 		mutex_unlock(&tn->lock);
-- 
1.9.1

Re: [PATCH 4.19 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

[Pablo Neira Ayuso]

Hi Greg,

Cc'ing stable@vger.kernel.org.

Subash (he's on Cc) needs these two fixes for 4.19:

f24d2d4f9586985509320f90308723d3d0c4e47f
netfilter: xt_TEE: fix wrong interface selection

18c0ab87364ac5128a152055fdcb1d27e01caf01
netfilter: xt_TEE: add missing code to get interface index in checkentry.

Subash forgot to Cc stable@vger.kernel.org in his two patches, sorry
about that.

Thanks!

On Fri, Mar 08, 2019 at 04:38:14PM -0700, Subash Abhinov Kasiviswanathan wrote:
> From: Taehee Yoo <ap420073@gmail.com>
> 
> commit 18c0ab87364ac5128a152055fdcb1d27e01caf01 upstream.
> 
> checkentry(tee_tg_check) should initialize priv->oif from dev if possible.
> But only netdevice notifier handler can set that.
> Hence priv->oif is always -1 until notifier handler is called.
> 
> Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
> Signed-off-by: Taehee Yoo <ap420073@gmail.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/xt_TEE.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
> index 673ad20..1dae02a 100644
> --- a/net/netfilter/xt_TEE.c
> +++ b/net/netfilter/xt_TEE.c
> @@ -104,6 +104,8 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
>  		return -EINVAL;
>  
>  	if (info->oif[0]) {
> +		struct net_device *dev;
> +
>  		if (info->oif[sizeof(info->oif)-1] != '\0')
>  			return -EINVAL;
>  
> @@ -115,6 +117,11 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
>  		priv->oif     = -1;
>  		info->priv    = priv;
>  
> +		dev = dev_get_by_name(par->net, info->oif);
> +		if (dev) {
> +			priv->oif = dev->ifindex;
> +			dev_put(dev);
> +		}
>  		mutex_lock(&tn->lock);
>  		list_add(&priv->list, &tn->priv_list);
>  		mutex_unlock(&tn->lock);
> -- 
> 1.9.1
> 

Re: [PATCH 4.19 2/2] netfilter: xt_TEE: add missing code to get interface index in checkentry.

[Sasha Levin]

On Mon, Mar 11, 2019 at 01:31:45PM +0100, Pablo Neira Ayuso wrote:
>Hi Greg,
>
>Cc'ing stable@vger.kernel.org.
>
>Subash (he's on Cc) needs these two fixes for 4.19:
>
>f24d2d4f9586985509320f90308723d3d0c4e47f
>netfilter: xt_TEE: fix wrong interface selection
>
>18c0ab87364ac5128a152055fdcb1d27e01caf01
>netfilter: xt_TEE: add missing code to get interface index in checkentry.
>
>Subash forgot to Cc stable@vger.kernel.org in his two patches, sorry
>about that.

Queued for 4.19, thank you.

--
Thanks,
Sasha